One of the reasons it is on a separate page is security. You'll notice that their front page is http and the login page is https. As for why the login page doesn't have anything else on it, it is probably to minimize distraction. There is no reason you would be at that page other than to log in, so why have other elements on the page?

It really shouldn't matter as long as the form action is through HTTPS.
– Lèse majesté Nov 19 '10 at 22:22

1

From what I understand, it does matter if the transmitting page is http and the subsequent page is https. For example, in their current setup, it would be insecure to allow for login on the front page as is because it is transmitting the username and password. The transmission wouldn't be secure. However, if the front page is also https, it wouldn't be a problem.
– Virtuosi Media Nov 19 '10 at 23:50

1

So you're saying that if a form is served up via HTTP then when the browser sends the data to an HTTPS URL it won't be transmitted through HTTPS? AFAIK, when you click on an HTTPS link on your browser on a non-secure page, it will still fetch the page via HTTPS. I don't see why a form GET/POST would be any different. The previous location of the browser doesn't matter, only the protocol of the request. I could initiate an HTTPS request from a desktop app if I wanted to.
– Lèse majesté Nov 20 '10 at 0:03

2

After more research, it seems that there is a common security concern with not using HTTPS on the login form page. It's not that the data won't be encrypted, but rather that the page could be susceptible to a MITM attack. However, IMO, in such an unlikely case, the attacker could simply intercept the unencrypted DNS lookup. So you're still screwed. But admittedly I'm in the minority here.
– Lèse majesté Nov 20 '10 at 1:29

Upvoted the comment about the unencrypted transmission, not because the transmission may or may not be encrypted, but because it will be perceived as such simply because the "secure lock" hasn't appeared yet.
– Marjan Venema Nov 20 '10 at 13:55

I think it's probably done partly for aesthetic purposes. It's cleaner and in some cases more usable. Having a login box on every page can clutter the screen. And having to find a sign-in button hidden in the corner of the layout every time you want to log in is less convenient than simply being able to bookmark the sign-in page.

This isn't a site like StackOverflow or Facebook where you have a content-based site that doesn't require signing in to use. You have to sign in in order to access the service, so the public and private sections of the site are completely separate. It's not like the user is going to sign in and then stay on the current page to post a comment.